CVE-2026-46509
Status: Deferred - Pending Action
Prototype Pollution in deepobj JavaScript Library

Publication date: 2026-05-28

Last updated on: 2026-06-01

Assigner: GitHub, Inc.

Description
deepobj provides get, set and delete operations on deeply nested objects in JavaScript. Prior to 1.0.3, prototype pollution is possible when property paths contain __proto__, constructor or prototype. The property path must not be exposed as user input. This vulnerability is fixed in 1.0.3.
Meta Information
Generated: 2026-06-18
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
External references: NVD, EUVD
Affected Vendors & Products
4 associated CPEs

Vendor    Product   Version / Range
deepobj   deepobj   up to 1.0.3 (exclusive)
ranfdev   deepobj   up to 1.0.3 (exclusive)
ranfdev   deepobj   1.0.3
ranfdev   deepobj   1.0.4
CWE
CWE-1321: The product receives input from an upstream component that specifies attributes that are to be initialized or updated in an object, but it does not properly control modifications of attributes of the object prototype.
AI Quick Actions
Compliance Impact

The vulnerability allows attackers to manipulate object prototype attributes, potentially leading to unauthorized data modification and impacting data integrity.

Such unauthorized modifications could pose risks to compliance with standards and regulations like GDPR and HIPAA, which require protection of data integrity and prevention of unauthorized data alteration.

However, the provided information does not explicitly state the direct impact on compliance with these standards.

Executive Summary

The vulnerability exists in the deepobj library versions prior to 1.0.3. It allows prototype pollution when property paths contain special keywords like __proto__, constructor, or prototype. This means an attacker could manipulate the prototype of JavaScript objects if these property paths are exposed as user input.

Impact Analysis

This vulnerability can impact you by allowing an attacker to modify the prototype of JavaScript objects, which can lead to unexpected behavior or security issues in your application. According to the CVSS score, the impact on integrity is high and the impact on availability is low, and the attack requires neither privileges nor user interaction, so an attacker can alter data or behavior without either.

Detection Guidance

Detection of this vulnerability involves identifying usage of the vulnerable deepobj package versions (1.0.2 and below) in your environment.

You can check the installed version of deepobj in your project by running the following command in your project directory:

  • npm list @ranfdev/deepobj

If the version is 1.0.2 or below, your system is vulnerable.

Additionally, you can search your codebase for occurrences of __proto__, constructor, or prototype to find places where such property paths might reach deepobj. Since these identifiers also appear in ordinary JavaScript, review each hit to see whether the path comes from untrusted input.

  • grep -rE '__proto__|constructor|prototype' ./

Mitigation Strategies

The primary mitigation step is to upgrade the deepobj package to version 1.0.4 or later, where the prototype pollution vulnerability has been fixed.

Additionally, ensure that property paths used in your application are not derived from untrusted user input to prevent exploitation.

If upgrading immediately is not possible, review and sanitize any inputs that could be used as property paths to block special keywords like __proto__, constructor, and prototype.
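The following is an added example, not code from deepobj or from this advisory, of the mitigation described above: a deep-set/deep-get pair that rejects path segments named __proto__, constructor or prototype before touching the object, and that only walks own properties so a user-supplied path can never reach Object.prototype. The function names (safeSet, safeGet, toSegments, prototypeIsPolluted, demo) and the sample paths in demo() are constructed for this illustration and are not deepobj's API.

```javascript
// Added example (not deepobj's own code): a hardened deep-set/deep-get that
// refuses the path segments named in the advisory and walks own properties only.
// All names below are constructed for this illustration.
const FORBIDDEN_KEYS = new Set(['__proto__', 'constructor', 'prototype']);

// Accepts a dotted string ("a.b.c") or an array of segments; throws on any
// empty, non-string or forbidden segment so nothing is written on bad input.
function toSegments(path) {
  const segs = Array.isArray(path) ? path : String(path).split('.');
  if (segs.length === 0) throw new TypeError('empty path');
  for (const seg of segs) {
    if (typeof seg !== 'string' || seg === '') throw new TypeError('invalid path segment');
    if (FORBIDDEN_KEYS.has(seg)) throw new Error(`forbidden path segment: ${seg}`);
  }
  return segs;
}

function safeSet(target, path, value) {
  const segs = toSegments(path);
  let node = target;
  for (let i = 0; i < segs.length - 1; i++) {
    const key = segs[i];
    // Descend only into own plain-object properties; missing or scalar
    // intermediates are replaced by prototype-less objects.
    const own = Object.prototype.hasOwnProperty.call(node, key);
    if (!own || typeof node[key] !== 'object' || node[key] === null) {
      node[key] = Object.create(null);
    }
    node = node[key];
  }
  node[segs[segs.length - 1]] = value;
  return target;
}

function safeGet(target, path, fallback) {
  const segs = toSegments(path);
  let node = target;
  for (const key of segs) {
    // Inherited properties are never read, so a lookup cannot be satisfied
    // from the prototype chain.
    if (node === null || typeof node !== 'object' ||
        !Object.prototype.hasOwnProperty.call(node, key)) {
      return fallback;
    }
    node = node[key];
  }
  return node;
}

// True if Object.prototype has gained the (constructed) marker key, i.e. if
// a pollution attempt got through.
function prototypeIsPolluted(marker = 'polluted') {
  return Object.prototype.hasOwnProperty.call(Object.prototype, marker);
}

// Demonstration on constructed input: a legitimate path is stored and read
// back; paths using the advisory's dangerous segments are rejected.
function demo() {
  const config = {};
  safeSet(config, 'server.port', 8080);
  const results = { port: safeGet(config, 'server.port') };
  const badPaths = [
    '__proto__.polluted',
    'constructor.prototype.polluted',
    ['a', 'prototype', 'polluted'],
  ];
  for (const bad of badPaths) {
    try {
      safeSet({}, bad, true);
      results[String(bad)] = 'accepted';
    } catch (e) {
      results[String(bad)] = 'rejected';
    }
  }
  results.polluted = prototypeIsPolluted();
  return results;
}

console.log(demo());
```

The check is deliberately placed in toSegments() so that both reads and writes share it, and intermediate objects are created with Object.create(null); together these mean a rejected path leaves the target untouched and an accepted path never resolves through the prototype chain.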
